SLAAC on a FortiGate 200D

SLAAC is my preferred form of address provisioning in IPv6. Interfaces derive their identifier from the MAC address [EUI-64 Format, RFC 4291] and are thus unique.

You can easily configure it on a router interface and instantly have IPv6 connectivity in the network behind it. Combined with a DNS server, you will have just as little complexity as with legacy IP.
I will cover some exceptions to DNS later in this post.

In my first real post here I want to cover the SLAAC settings for a FortiGate 200D with FortiOS 5.4.
Configuring SLAAC is currently only possible on the command line. So SSH to your router and go for it:

~$ config system interface
~$   edit MyNetwork
~$     config ipv6
~$       set ip6-address 2001:db8::1/64
~$       set ip6-send-adv enable
~$       config ip6-prefix-list
~$         edit 2001:db8::/64
~$           set autonomous-flag enable
~$           set onlink-flag enable
~$         next
~$       end
~$     end
~$ end

Sadly, FortiOS 5.4 does not support RFC 6106, which would unlock the ability to send DNS information via Router Advertisements. So with the setup described here you will end up with a working IPv6 network that has no way to figure out which DNS server to use. Legacy IP to the rescue!
The networks I currently work in are mostly dual stack, so there is a working DNS connection via legacy IP, which will also hand out AAAA records if available. The Happy Eyeballs protocol will do the rest.
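
To confirm what the interface actually advertises, capture one Router Advertisement on a client and inspect its options. The following Python sketch is an added example, not part of the original post or of FortiOS: it parses the ICMPv6 payload of an RA, reports the onlink and autonomous flags of each prefix, and notes whether an RFC 6106 RDNSS option is present. The sample bytes are constructed, the function names are hypothetical, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

OPT_PREFIX_INFO = 3  # Prefix Information option (RFC 4861)
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 6106)

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 header."""
    if len(icmp) < 16 or icmp[0] != 134:  # 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    ra = {"prefixes": [], "rdnss": []}
    pos = 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length in 8-octet units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option length")
        body = icmp[pos:pos + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "onlink": bool(flags & 0x80),      # L flag (onlink-flag)
                "autonomous": bool(flags & 0x40),  # A flag (autonomous-flag)
                "valid": valid, "preferred": preferred,
            })
        elif opt_type == OPT_RDNSS and opt_len >= 24 and opt_len % 16 == 8:
            for off in range(8, opt_len, 16):  # 8-byte option header, then addresses
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        pos += opt_len
    return ra

def findings(ra: dict) -> list:
    """Return what a SLAAC client on this link would be missing."""
    notes = [f"{p['prefix']}: A flag clear or not /64, hosts will not autoconfigure"
             for p in ra["prefixes"]
             if not (p["autonomous"] and p["prefix"].endswith("/64"))]
    if not ra["rdnss"]:
        notes.append("no RDNSS option: clients need DNS from another source")
    return notes

# Constructed sample: RA header plus one Prefix Information option (made-up lifetimes).
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8::").packed
)

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA), findings(parse_ra(SAMPLE_RA)), sep="\n")
```

For the configuration above, the expected result is one prefix with both flags set and a single finding about the missing RDNSS option.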

Trivia: In 2015 an Apple network engineer wrote on the v6ops mailing list that Mac OS X 10.11 will ship with a modified implementation of Happy Eyeballs, which will prefer IPv6 over legacy IP.
Source: https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

Sebastian Herzberg
